Tag Archives: zeus

Cybercrooks run their organizations like businesses these days. They have multinational offices, marketing departments, business development, and technical support teams. Maybe they also need some security… Malware entrepreneur sentenced to 57 months in prison One such malware entrepreneur, Alex Yucel, sold malware through a website that he operated, to other hackers. The Blackshades malware allowed […]

The FBI, along with the Department of Justice, announced a multinational effort on their website that has disrupted a botnet called GameOver Zeus. GameOver Zeus has infected millions of Internet users around the world and has stolen millions of dollars. The UK’s National Crime Agency (NCA) has worked closely with the FBI to crack […]

The biggest bank robbery of all time was identified in Brazil in 2005. In this case, a gang broke into a bank by tunneling through 1.1 meters of steel and reinforced concrete and then removed 3.5 tons of containers holding bank notes. This heist resulted in the loss of about 160 million Brazilian dollars (US$380 million).

Robbers today, however, don’t have to bother with drilling through walls to steal money. They can rob a bank while sitting comfortably at home behind a computer. Thanks to cybercrime, organizations have suffered financial losses in the order of millions. The Symantec State of Financial Trojans 2013 whitepaper shows that banking Trojans are becoming more prevalent. Apart from other more common malware such as Zeus and Spyeye, one of the most popular financial malware that cybercriminals currently use is a threat called Tiylon. This Trojan uses a man-in-the-browser (MITB) attack to intercept user authentications and transaction authorizations on online banking sites.

Initial infection by targeted attack
Tiylon typically arrives as an attachment in the form of a short email to attempt to evade antispam filters. Unlike most spam campaigns associated with financial Trojans (like Zeus), Tiylon emails are part of a targeted attack. Symantec telemetry shows the attack targets online banking users in several different regions around the world, with a particular focus on the UK, US, Italy, Australia, and Japan (Figure 2).

Figure 1. Tiylon email with a malicious attachment.

The threat consists of three different files: a downloader, a main component file, and a configuration file.

Downloader file
The downloader acts as a load point and is responsible for the installation of the main component file. When the downloader executes, it constructs system information derived by the computer’s serial number and establishes a connection to the attacker’s command-and-control (C&C) server. When the connection is established, a registry key is created.

The downloader then injects code into explorer.exe and svchost.exe to initiate malicious activity.

Main component file
The main component file is downloaded and decrypted by the Tiylon downloader file. This component collects a configuration file from the C&C server to specify the parameters of the attack. The component also manipulates registry settings to reduce the security of the computer and browser. This is also the component that intercepts communications between the user and financial institution websites.

Core functionalities include the following:

Performs Web injection attacks

Logs key strokes

Captures screenshots

Starts FTP and RDP servers

Starts Remote Desktop Protocol (RDP)

Reads certificates

Downloads and executes files

Create services

Hook operating system APIs in order to steal network data

Inject code into other processes

Log off, restart, or shut down the compromised computer

Perform process injections into Web browsers

Tiylon attempts to evade detection by inspecting directories and installed applications. It also tries to find out if the computer is a virtual machine by checking the process list. If the C&C server finds any environment that could detect malicious activities, it may ban the computer’s IP address and then try to infect other users. It may also force some non Symantec antivirus software to set exclusions, helping the threat avoid detection. The malware code itself is obfuscated and has several packing cycles, which complicates analysis.

Timeline of attacks
The Tiylon attacks occured between January 1, 2012, and October 1, 2013.

Table 1. Tiylon attack numbers by country

Figure 2. Animation showing Tiylon attack numbers by country

Symantec protects customers against Tiylon with the following anitvirus and IPS detections:

Symantec recommends users to have the most up-to-date software patches and definitions in place to protect against threats. In this particular case, we suggest installing an antispam solution for your email client and refrain from opening suspicious attachments.

“Because that’s where the money is!” This is a quote frequently attributed to Willie Sutton as the answer he allegedly gave when asked why he robbed banks. Even though Mr. Sutton never gave this answer, it still holds true.

This paradigm also holds true when it comes to today’s financial malware. Online banking applications are where money is moved; hence they are also the focus of attackers. It should not come as a surprise that we still see further development of Trojans targeting online banking services. One example that we recently blogged about is the Neverquest Trojan, a successor of Trojan.Snifula, which was first seen in 2006 but is still in use.

The number of infections of the most common financial Trojans grew to 337 percent in the first nine month of 2013. This represents nearly half a million infected computers per month that are susceptible to fraud. To get a better understanding of the mechanics behind financial Trojans and the scale of their operations, we analyzed over one thousand recent configuration files belonging to eight online banking Trojans. These configuration files define which URLs the Trojan should attack and what attack strategy to use. Attacks vary from simple user redirection to complex Web-injects, which can automatically conduct transactions in the background. The analyzed configuration files targeted 1,486 organizations in total. This highlights the wide distribution of the Trojans, which target everything that could yield a monetary profit for the attacker.

The most frequently attacked bank is located in the US and was present in 71.5 percent of all the examined Trojans’ configuration files. All of the top 15 targeted banks were found in more than 50 percent of the configuration files. This means that every second Trojan targets at least one of these banks. These high numbers might be because the targeted URLs are present as examples in some of the basic toolkits, which are sold with the Trojans. Another reason could be that the Trojans simply still work against these firms, as not all financial institutions have moved to strong authentication yet. Of course, most financial institutions are aware of these cybercrime developments and are deploying new protection mechanisms to block such attacks. Unfortunately, new security measures take time and money to roll out and the attackers will always come up with new attack avenues. After all, social engineering attacks still work, since some people will always fall for a cleverly crafted story. We expect that we will continue to see attacks targeting online banking services in the coming year.

“Because that’s where the money is!” This is a quote frequently attributed to Willie Sutton as the answer he allegedly gave when asked why he robbed banks. Even though Mr. Sutton never gave this answer, it still holds true.

This paradigm also holds true when it comes to today’s financial malware. Online banking applications are where money is moved; hence they are also the focus of attackers. It should not come as a surprise that we still see further development of Trojans targeting online banking services. One example that we recently blogged about is the Neverquest Trojan, a successor of Trojan.Snifula, which was first seen in 2006 but is still in use.

The number of infections of the most common financial Trojans grew to 337 percent in the first nine month of 2013. This represents nearly half a million infected computers per month that are susceptible to fraud. To get a better understanding of the mechanics behind financial Trojans and the scale of their operations, we analyzed over one thousand recent configuration files belonging to eight online banking Trojans. These configuration files define which URLs the Trojan should attack and what attack strategy to use. Attacks vary from simple user redirection to complex Web-injects, which can automatically conduct transactions in the background. The analyzed configuration files targeted 1,486 organizations in total. This highlights the wide distribution of the Trojans, which target everything that could yield a monetary profit for the attacker.

The most frequently attacked bank is located in the US and was present in 71.5 percent of all the examined Trojans’ configuration files. All of the top 15 targeted banks were found in more than 50 percent of the configuration files. This means that every second Trojan targets at least one of these banks. These high numbers might be because the targeted URLs are present as examples in some of the basic toolkits, which are sold with the Trojans. Another reason could be that the Trojans simply still work against these firms, as not all financial institutions have moved to strong authentication yet. Of course, most financial institutions are aware of these cybercrime developments and are deploying new protection mechanisms to block such attacks. Unfortunately, new security measures take time and money to roll out and the attackers will always come up with new attack avenues. After all, social engineering attacks still work, since some people will always fall for a cleverly crafted story. We expect that we will continue to see attacks targeting online banking services in the coming year.